// For flags

CVE-2022-21698

Uncontrolled Resource Consumption in promhttp

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g GET) before middleware; pass metric with `method` label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.

client_golang es la biblioteca de instrumentación para aplicaciones Go en Prometheus, y el paquete promhttp en client_golang proporciona herramientas en torno a los servidores y clientes HTTP. En client_golang versiones anteriores a 1.11.1, el servidor HTTP es susceptible de una Denegación de Servicio mediante una cardinalidad no limitada, y un potencial agotamiento de la memoria, cuando es manejado peticiones con métodos HTTP no estándar. Para ser afectado, un software instrumentado debe usar cualquiera de los middleware "promhttp.InstrumentHandler*" excepto "RequestsInFlight"; no filtrar ningún método específico (por ejemplo GET) antes del middleware; pasar la métrica con el nombre de la etiqueta "method" a nuestro middleware; y no presentar ningún firewall/LB/proxy que filtre las peticiones con "method" desconocido. client_golang versión 1.11.1 contiene un parche para este problema. Se presentan varias medidas de mitigación disponibles, incluyendo la eliminación del nombre de la etiqueta "method" del contador/calibre usado en el InstrumentHandler; la deshabilitación de los manejadores promhttp afectados; la adición de un middleware personalizado antes del manejador promhttp que sanee el método de petición dado por Go http.Request; y el uso de un proxy inverso o un firewall de aplicaciones web, configurado para permitir sólo un conjunto limitado de métodos

A denial of service attack was found in prometheus/client_golang. This flaw allows an attacker to produce a denial of service attack on an HTTP server by exploiting the InstrumentHandlerCounter function in the version below 1.11.1, resulting in a loss of availability.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-11-16 CVE Reserved
  • 2022-02-15 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-10-31 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-400: Uncontrolled Resource Consumption
  • CWE-770: Allocation of Resources Without Limits or Throttling
  • CWE-772: Missing Release of Resource after Effective Lifetime
CAPEC
References (24)
URL Tag Source
https://github.com/prometheus/client_golang/releases/tag/v1.11.1 Release Notes
https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p Issue Tracking
URL Date SRC
URL Date SRC
https://github.com/prometheus/client_golang/pull/962 2023-11-07
https://github.com/prometheus/client_golang/pull/987 2023-11-07
URL Date SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2IK53GWZ475OQ6ENABKMJMTOBZG6LXUR 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3L6GDN5S5QZSCFKWD3GKL2RDZQ6B4UWA 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4KDETHL5XCT6RZN2BBNOCEXRZ2W3SFU3 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5OGNAFVXSMTTT2UPH6CS3IH6L3KM42Q7 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7V7I72LSQ3IET3QJR6QPAVGJZ4CBDLN5 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AK7CJBCGERCRXYUR2EWDSSDVAQMTAZGX 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLUJZV3HBP56ADXU6QH2V7RNYUPMVBXQ 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FY3N7H6VSDZM37B4SKM2PFFCUWU7QYWN 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J5WPM42UR6XIBQNQPNQHM32X7S4LJTRX 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KBMVIQFKQDSSTHVVJWJ4QH6TW3JVB7XZ 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MH6ALXEQXIFQRQFNJ5Y2MJ5DFPIX76VN 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RN7JGC2LVHPEGSJYODFUV5FEKPBVG4D7 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SASRKYHT5ZFSVMJUQUG3UAEQRJYGJKAR 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKORFJTRRDJCWBTJPISKKCVMMMJBIRLG 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR 2023-11-07
https://access.redhat.com/security/cve/CVE-2022-21698 2024-07-18
https://bugzilla.redhat.com/show_bug.cgi?id=2045880 2024-07-18
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Prometheus
Search vendor "Prometheus"
 Client Golang
Search vendor "Prometheus" for product "Client Golang"
 < 1.11.1
Search vendor "Prometheus" for product "Client Golang" and version " < 1.11.1"
go
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 34
Search vendor "Fedoraproject" for product "Fedora" and version "34"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 35
Search vendor "Fedoraproject" for product "Fedora" and version "35"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 36
Search vendor "Fedoraproject" for product "Fedora" and version "36"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Extra Packages For Enterprise Linux
Search vendor "Fedoraproject" for product "Extra Packages For Enterprise Linux"
 7.0
Search vendor "Fedoraproject" for product "Extra Packages For Enterprise Linux" and version "7.0"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Extra Packages For Enterprise Linux
Search vendor "Fedoraproject" for product "Extra Packages For Enterprise Linux"
 8.0
Search vendor "Fedoraproject" for product "Extra Packages For Enterprise Linux" and version "8.0"
-
Affected
Rdo Project
Search vendor "Rdo Project"
 Rdo
Search vendor "Rdo Project" for product "Rdo"
--
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 35
Search vendor "Fedoraproject" for product "Fedora" and version "35"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 36
Search vendor "Fedoraproject" for product "Fedora" and version "36"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 37
Search vendor "Fedoraproject" for product "Fedora" and version "37"
-
Affected